CVE-2026-10544NVD

Vulnerability Summary

Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider.

This issue affects :

* Devolutions Server 2026.2.4.0
* Devolutions Server 2026.1.20.0 and earlier

Severity Level

MEDIUM(6.5)

Published Date

Jun 8, 2026

Last Modified

Jun 12, 2026

Exploitation Status

????

EPSS Score (30-Day)

0.04%Probability

Root Weakness (CWE)

CWE-78: OS Command Injection ↗

The software constructs all or part of an OS command using externally-influenced input, but does not properly neutralize special elements.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityLow

IntegrityLow

AvailabilityNone

External References

https://devolutions.net/security/advisories/DEVO-2026-0015/

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-10544NVD

Vulnerability Summary

External References